top | item 10695494

(no title)

nullrouted | 10 years ago

tl:dr Used cloudflare for DNS and Level3/Blacklotus for network filtering.

In DDoS attacks you have three models: On-Prem: Buy hardware and big fat internet pipes to filter traffic (expensive / time \ resrouce intensive) Hybrid: On-Prem devices that can mitigate X/Mbps and then starts announcing your routes after X to their cloud scrubbing centers which can filter it at a much higher capacity (best option) Cloud: Full on filtering by a provider where all your traffic goes through their scrubbing centers full time (usually adds latency, extremely expensive)

The hybrid model is the best and what most companies are going to as it allows you to filter smaller attacks out with little cost as well as scaling up to large 100 Gb/s+ attacks without having to buy massive amounts of hardware/transit.

discuss

prdonahue|10 years ago

How do you define "extremely expensive"? CloudFlare's Business Plan ($200/mo) includes advanced DDoS mitigation: https://www.cloudflare.com/ddos/.

Also, due to caching of assets in PoPs close to end-users (and TLS termination at the edge), the site is often much faster than without DDoS protection.

franimals|10 years ago

Well CloudFlare works if you're mainly worried about responding to HTTP(S) traffic. In this the company was responsible SMTP, POP, etc which CloudFlare doesn't really handle.

Additionally as is mentioned in the article - If the attacker knows your public IP address they can easily bypass CloudFlare by simply directing the traffic to you and not CF.

nullrouted|10 years ago

Cloudflare is a WAF/Proxy that can handle DDoS, it isn't a DDoS specific product. If your actual network space is getting hit (e.g. 8.8.8.8) cloudflare will not help you.

vox_mollis|10 years ago

How do you define "extremely expensive"?

Always-on scrubbing will typically run you $10k provisioning and $6-9k monthly for 100mbps of clean bandwidth from most of the providers.